{"id":867,"date":"2009-10-06T22:01:04","date_gmt":"2009-10-06T19:01:04","guid":{"rendered":"http:\/\/www.void.gr\/kargig\/blog\/?p=867"},"modified":"2009-10-06T22:05:12","modified_gmt":"2009-10-06T19:05:12","slug":"ossec-to-the-rescue","status":"publish","type":"post","link":"https:\/\/www.void.gr\/kargig\/blog\/2009\/10\/06\/ossec-to-the-rescue\/","title":{"rendered":"ossec to the rescue"},"content":{"rendered":"<p>That&#8217;s why I love <a href=\"http:\/\/www.ossec.net\/\">ossec<\/a>:<\/p>\n<pre><code>OSSEC HIDS Notification.\n2009 Oct 06 17:45:17\n\nReceived From: XXXX-&gt;rootcheck\nRule: 510 fired (level 7) -&gt; &quot;Host-based anomaly detection event (rootcheck).&quot;\nPortion of the log(s):\n\nRootkit &#039;Suspicious&#039; detected by the presence of file &#039;\/var\/www\/vhosts\/YYYY.com\/httpdocs\/album_mod\/..&nbsp;&nbsp;\/...\/.log&#039;.\n\n --END OF NOTIFICATION\n\nOSSEC HIDS Notification.\n2009 Oct 06 17:45:17\n\nReceived From: XXXX-&gt;rootcheck\nRule: 510 fired (level 7) -&gt; &quot;Host-based anomaly detection event (rootcheck).&quot;\nPortion of the log(s):\n\nRootkit &#039;Suspicious&#039; detected by the presence of file &#039;\/var\/www\/vhosts\/YYYY.com\/httpdocs\/language\/lang_english\/&nbsp;&nbsp;&nbsp;&nbsp; \/... \/.log&#039;.\n\n --END OF NOTIFICATION\n\nOSSEC HIDS Notification.\n2009 Oct 06 17:45:17\n\nReceived From: XXXX-&gt;rootcheck\nRule: 510 fired (level 7) -&gt; &quot;Host-based anomaly detection event (rootcheck).&quot;\nPortion of the log(s):\n\nRootkit &#039;Suspicious&#039; detected by the presence of file &#039;\/var\/www\/vhosts\/YYYY.com\/httpdocs\/language\/&nbsp;&nbsp;&nbsp;&nbsp; \/... \/.log&#039;.\n\n --END OF NOTIFICATION<\/code><\/pre>\n<p>I found this while copying a client&#8217;s files from his previous hosting company to one of the hosting servers of a company I work for.<\/p>\n<p>There were actually two different sets of files.<br \/>\nThe first one contained a tool that &#8220;hides&#8221; a process, called <em>&#8220;XH (XHide) process faker&#8221;<\/em>, and the second one contained an <a href=\"http:\/\/iroffer.org\/\">iroffer<\/a> executable.<\/p>\n<p>Files:<br \/>\ni) <a href=\"http:\/\/www.void.gr\/kargig\/blog\/wp-content\/xh-files.tar.gz\">xh-files.tar.gz<\/a><br \/>\nListing:<br \/>\n<code>.log\/<br \/>\n.log\/.crond\/<br \/>\n.log\/.crond\/xh<br \/>\n.log\/week~<br \/>\n.log\/week<\/code><\/p>\n<p>ii) <a href=\"http:\/\/www.void.gr\/kargig\/blog\/wp-content\/iroffer-files.tar.gz\">iroffer-files.tar.gz<\/a><br \/>\nListing:<br \/>\n<code>.--\/<br \/>\n.--\/imd.pid<br \/>\n.--\/imd.state.tmp<br \/>\n.--\/imd.state<br \/>\n.--\/linux<\/code><\/p>\n<p><em>Mind the leading . (dot) on the directories containing the files, and the directory names in the alerts above that consist only of dots and spaces (<code>..&nbsp;&nbsp;<\/code>, <code>...<\/code>); both are easy to overlook in a directory listing.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>That&#8217;s why I love ossec: OSSEC HIDS Notification. 2009 Oct 06 17:45:17 Received From: XXXX-&gt;rootcheck Rule: 510 fired (level 7) -&gt; &quot;Host-based anomaly detection event (rootcheck).&quot; Portion of the log(s): Rootkit &#039;Suspicious&#039; detected by the presence of file &#039;\/var\/www\/vhosts\/YYYY.com\/httpdocs\/album_mod\/..&nbsp;&nbsp;\/&#8230;\/.log&#039;. &#8211;END OF NOTIFICATION OSSEC HIDS Notification. 2009 Oct 06 17:45:17 Received From: XXXX-&gt;rootcheck Rule: 510 fired [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"ep_exclude_from_search":false,"footnotes":""},"categories":[3],"tags":[216,595,217,218,176,206,185],"class_list":["post-867","post","type-post","status-publish","format-standard","hentry","category-linux","tag-iroffer","tag-linux","tag-ossec","tag-process-hider","tag-rootkit","tag-security","tag-vulnerability"],"aioseo_notices":[],"views":11427,"_links":{"self":[{"href":"https:\/\/www.void.gr\/kargig\/blog\/wp-json\/wp\/v2\/posts\/867","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.void.gr\/kargig\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.void.gr\/kargig\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.void.gr\/kargig\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.void.gr\/kargig\/blog\/wp-json\/wp\/v2\/comments?post=867"}],"version-history":[{"count":6,"href":"https:\/\/www.void.gr\/kargig\/blog\/wp-json\/wp\/v2\/posts\/867\/revisions"}],"predecessor-version":[{"id":875,"href":"https:\/\/www.void.gr\/kargig\/blog\/wp-json\/wp\/v2\/posts\/867\/revisions\/875"}],"wp:attachment":[{"href":"https:\/\/www.void.gr\/kargig\/blog\/wp-json\/wp\/v2\/media?parent=867"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.void.gr\/kargig\/blog\/wp-json\/wp\/v2\/categories?post=867"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.void.gr\/kargig\/blog\/wp-json\/wp\/v2\/tags?post=867"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
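An added example, not part of the original post and not OSSEC's own rootcheck code, showing the kind of check behind the rule 510 alerts above: a Python walk over a web document root that flags names consisting only of dots and whitespace (such as the `..  ` and `...` components in the alert paths), names with stray leading or trailing whitespace, and dot-prefixed entries like `.log` and `.--`. The sample tree is constructed inside the script to mirror the alert paths and the two tarball listings; the allowlist of legitimate dot-files (`.htaccess`, `.htpasswd`, `.well-known`) is an assumption for a typical Apache vhost and should be tuned per host.

```python
"""Rootcheck-style scan for directory names built to hide in a web docroot.

Added example, not code from the original post and not OSSEC's own rootcheck
logic. It mimics what the alerts above caught: entries whose names are only
dots and spaces ("..  ", "...", "... "), names with stray whitespace, and
dot-prefixed entries where a vhost docroot should not have any. The sample
tree it scans is constructed here and mirrors the paths in the alerts.
"""
import os
import re
import tempfile

# A name made solely of dots and/or whitespace: "..  ", "...", "     ", "... "
DOTS_AND_SPACES = re.compile(r"^[.\s]+$")

# Dot-prefixed entries that legitimately live in a docroot (assumed allowlist
# for an Apache vhost; tune it to the hosting platform).
ALLOWLIST = {".htaccess", ".htpasswd", ".well-known"}


def classify(name):
    """Return a reason string if `name` looks like a hiding spot, else None."""
    if name in (".", "..") or name in ALLOWLIST:
        return None
    if DOTS_AND_SPACES.fullmatch(name):
        return "name consists only of dots/whitespace"
    if name != name.strip():
        return "leading/trailing whitespace in name"
    if name.startswith("."):
        return "dot-prefixed (hidden) entry in docroot"
    return None


def scan_docroot(root):
    """Walk `root`; return sorted (path relative to root, reason) pairs."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            reason = classify(name)
            if reason:
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                findings.append((rel, reason))
    return sorted(findings)


def build_sample_tree(base):
    """Create a constructed docroot that mirrors the alert paths (not real data)."""
    dirs = [
        ("images", "css"),
        ("album_mod", "..  ", "...", ".log", ".crond"),
        ("language", "lang_english", "     ", "... ", ".log"),
        (".--",),
    ]
    for parts in dirs:
        os.makedirs(os.path.join(base, *parts), exist_ok=True)
    files = [
        ("index.php",),
        ("images", "css", "style.css"),
        ("album_mod", "..  ", "...", ".log", ".crond", "xh"),
        ("language", "lang_english", "     ", "... ", ".log", "week"),
        (".--", "linux"),
    ]
    for parts in files:
        with open(os.path.join(base, *parts), "w") as fh:
            fh.write("")


def demo():
    """Build the sample tree in a temp dir, scan it, and return the findings."""
    base = tempfile.mkdtemp(prefix="docroot-")
    build_sample_tree(base)
    return scan_docroot(base)


if __name__ == "__main__":
    for rel, reason in demo():
        # repr() keeps trailing spaces in a name visible, which plain ls hides
        print(f"{reason:42s} {rel!r}")
```

Run it with no arguments to scan the constructed tree, or call `scan_docroot("/var/www/vhosts/<host>/httpdocs")` against a real docroot. Output goes through `repr()` on purpose: a directory called `..  ` prints as `'..  '`, whereas in an `ls` listing it is indistinguishable from the parent-directory entry.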